The GDPR at two - what has it achieved?
Chris Strand, IntSights, Chief compliance officer, New York, 16 July 2020
When it became law in the European Union, the bureaucrats of Brussels heralded the General Data Protection Regulation as one of their greatest achievements in recent years. This May marked two years since the regulation began to apply, on 25 May 2018. In that time, national data protection authorities have levied some 240 fines that add up to nearly half a billion euros.
This might seem the obvious benchmark for the GDPR's success in keeping the information of people in the EU relatively private, but its achievements go well beyond this, because it has influenced data protection around the world, not only among organisations but also among politicians.
A new standard for data protection
Many nations have had some sort of law to protect digital data and privacy for many years now. According to the United Nations Conference on Trade and Development, which is actually less of a conference and more of a permanent inter-governmental body, 66% of the world's countries have data-protection laws. Since the GDPR came into force, the importance of "data privacy" (the individual's ability to control who holds and processes data about him, and for what purpose) has risen. This phenomenon has done good in a number of areas. Many jurisdictions around the world now see the GDPR as an example to follow. Shortly after it came into effect, both Canada and Australia made changes to their own data-privacy laws that emulated certain sections of it.
Article 4 of the GDPR defines "personal data" in a fairly broad way that takes in any information relating to a person who can be identified, directly or indirectly, by an identifier such as a name, an identification number, location data or an online identifier, or by one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity. This works in favour of individuals in the EU, as more or less any data that could identify them is protected. Businesses that deal with them have to ensure that all such data is processed lawfully and, under Article 32, kept secure with measures appropriate to the risk.
India's Personal Data Protection Bill has drawn heavily on the GDPR. The California Consumer Privacy Act, meanwhile, uses the term "personal information" and, through its exemptions (for publicly available and de-identified information, for example), draws its boundaries more narrowly.
Differing interpretations in the EU
One of the most interesting aspects of the GDPR is the fact that, although it is a regulation that applies directly in all 27 member states, those states apply it in different ways. The regulation leaves room for national legislation in a number of areas (the age at which a child can consent to online services, the processing of employee data and the threshold for appointing a DPO, among others), and enforcement is in the hands of national supervisory authorities. Germany, where enforcement is split among federal and state authorities, is very rigid in this regard and has imposed 25 fines in the two years since the GDPR was introduced. France seems a little more relaxed, with the French regulator CNIL having issued only five fines in that time, though the count says little about severity: CNIL's €50 million fine on Google in January 2019 was the largest single GDPR penalty of the period. Each country's interpretation of the GDPR usually relates to its previous privacy laws and to the way in which it has handled data protection in the past.
The maturity of organisations’ approach to data compliance
Since May 2018 financial firms have become far more cognisant of their obligations to protect personal data. In the early days of the GDPR they were naive about the rules, especially if they had customers in the EU but were not themselves based there; Article 3 extends the regulation to any organisation, wherever it is, that offers goods or services to people in the EU or monitors their behaviour. Organisations used to ask each other simply whether they were "GDPR compliant", which was not an encouraging state of affairs, as a yes-or-no question tells you nothing and the answer should in any case have always been yes for anyone with a customer base in Europe. As time has moved on, they have matured, and we can see this in the questions they now ask about the specifics of compliance.
This is obvious from their attitudes to the job of the DPO. In the US, for example, many businesses simply used to appoint somebody from compliance to be the DPO, someone from a field unrelated to information privacy, dealing perhaps with licensing or systems compliance, who started off knowing little about how to keep data safe or how to respond to data subject access requests (DSARs). Now, businesses are starting to appreciate that people with specific knowledge of data protection and DSARs ought to be their DPOs. This is what the regulation itself expects: Article 37 requires the DPO to be chosen for expert knowledge of data protection law and practice, and Article 38 requires that the role be free of conflicts of interest with the person's other duties. These are usually legal professionals and should ideally be members of bodies such as the International Association of Privacy Professionals (IAPP), which offers resources, support and training.
Where to next for the UK?
Now that the UK has left the European Union, there is a great opportunity for the country to pass a data protection law to suit itself once the transition period ends on 31 December 2020 and the GDPR ceases to apply directly. It would make sense for such a law to be largely in line with the GDPR, as most businesses are now used to it and have the processes in place to comply. Any major deviation would force businesses to change their strategies again to fulfil their new obligations.
The UK might want to emulate some of the nuances to be found in the California Consumer Privacy Act, which is more specific about the data to be protected and applies only to businesses that cross at least one of three thresholds, the best known being gross annual revenue of more than US$25 million (the others concern the volume of personal information handled and the share of revenue derived from selling it), thereby reducing the burden on smaller businesses.
There is no doubt that the GDPR has had a huge impact on data protection, not just for citizens of EU countries but also for many other people around the world who live in jurisdictions that want to emulate it. This is surely an indication of success. After all, imitation is the sincerest form of flattery.